Certificate Template Usage

Certificates have the potential to be used by a wide variety of applications. After all, a certificate is simply a piece of data. The operating system and the applications are responsible for using that data to perform functions such as encrypting messages and authenticating connections.

However, there are many different templates designed to be used for various purposes. To specify how a certificate template can be used, you configure the application policies. Application policies, also known as extended key usage or enhanced key usage, give you the ability to specify which certificates can be used for which purposes. This allows you to issue certificates without being concerned that they will be misused.

For example, a certificate based on the Smartcard User template can be used by a user to send secure e-mail, to perform client authentication, and to log on by using a smart card. By default, it cannot be used to authenticate a server to a client, to recover files, to encrypt files, or to perform many other tasks that rely on a certificate. Further, the certificate can be issued only to a user, not to a computer.

The Smartcard User template, and many other templates, can be used for multiple functions. Using certificate templates with multiple functions is an excellent way to reduce the number of certificates that are needed in an organization. Many certificate templates, however, are single-function, which allows them to be highly restricted. For example, you could issue certificates for a sensitive operation, such as key recovery, with a short certificate lifetime of 2 months. You would not want to combine this certificate function with a function that is not as sensitive, such as an EFS certificate, because an EFS certificate should have a much longer lifetime.
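The application policies described above travel inside the certificate as the Extended Key Usage (EKU) extension, a DER-encoded SEQUENCE of object identifiers. The following added example (not from the book) builds the EKU value of a Smartcard User certificate from the three purposes listed above with a small encoder and decoder of its own, and shows the check an application performs before accepting the certificate for a purpose: an absent extension leaves the certificate unrestricted, a present one permits only the listed purposes (or everything, if it carries anyExtendedKeyUsage). The OID values are the standard RFC 5280 ones plus Microsoft's smart card logon OID.

```python
# Added example, not from the book: encode/decode the Extended Key Usage (EKU) value of RFC 5280 and check purposes.
EKU_OIDS = {  # RFC 5280 purposes plus Microsoft's smart card logon OID
    "serverAuth": "1.3.6.1.5.5.7.3.1", "clientAuth": "1.3.6.1.5.5.7.3.2",
    "emailProtection": "1.3.6.1.5.5.7.3.4", "smartcardLogon": "1.3.6.1.4.1.311.20.2.2",
    "anyExtendedKeyUsage": "2.5.29.37.0",
}
def _der_len(n):  # definite length: short form below 128, long form otherwise
    if n < 0x80: return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body
def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]  # the first two arcs share one byte
    for arc in arcs[2:]:            # base 128, high bit set on all but the last byte
        chunk = [arc & 0x7F]
        while (arc := arc >> 7):
            chunk.append(0x80 | (arc & 0x7F))
        out.extend(reversed(chunk))
    return b"\x06" + _der_len(len(out)) + bytes(out)
def encode_eku(purposes):
    body = b"".join(_encode_oid(EKU_OIDS[p]) for p in purposes)
    return b"\x30" + _der_len(len(body)) + body
def _read_tlv(buf, pos):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: the low 7 bits count the following length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length
def decode_eku(der):
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("EKU value must be exactly one SEQUENCE")
    oids, pos = [], 0
    while pos < len(body):
        tag, val, pos = _read_tlv(body, pos)
        if tag != 0x06:
            raise ValueError("EKU entries must be OBJECT IDENTIFIERs")
        arcs, acc = [val[0] // 40, val[0] % 40], 0
        for b in val[1:]:
            acc = (acc << 7) | (b & 0x7F)
            if not b & 0x80:
                arcs.append(acc)
                acc = 0
        oids.append(".".join(map(str, arcs)))
    return oids
def permits(eku_der, purpose):
    # Absent EKU: unrestricted. Present EKU: only the listed purposes, or all if anyExtendedKeyUsage is listed.
    if eku_der is None:
        return True
    present = set(decode_eku(eku_der))
    return EKU_OIDS["anyExtendedKeyUsage"] in present or EKU_OIDS[purpose] in present
# Constructed from the purposes the book lists for a Smartcard User certificate
SMARTCARD_USER_EKU = encode_eku(["emailProtection", "clientAuth", "smartcardLogon"])
```

With this value, `permits(SMARTCARD_USER_EKU, "serverAuth")` is False while the three listed purposes are accepted, which is exactly the restriction the text describes.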

Table 7.1 describes the user certificate templates included with Windows Server 2003. All user certificate templates included with Windows Server 2003 are version 1.

Table 7.1 Default User Certificate Templates

Name | Description
Administrator | Allows user authentication, EFS encryption, secure e-mail, and certificate trust list signing.
Authenticated Session | Authenticates a user to a Web server. The private key is used to sign the authentication request.
Basic EFS | Encrypts and decrypts data by using EFS. The private key is used to decrypt the file encryption key (FEK) that is used to encrypt and decrypt the EFS-protected data.
Code Signing | Used to digitally sign software.
EFS Recovery Agent | Allows the subject to decrypt files previously encrypted with EFS.
Enrollment Agent | Used to request certificates on behalf of another subject.
Exchange Enrollment Agent (Offline request) | Used to request certificates on behalf of another subject and supply the subject name in the request.
Exchange Signature Only | Used by Exchange Key Management Service to issue certificates to Microsoft Exchange Server users for digitally signing e-mail.
Exchange User | Used by Exchange Key Management Service to issue certificates to Exchange users for encrypting e-mail.
Smartcard Logon | Authenticates a user with the network by using a smart card.
Smartcard User | Identical to the Smartcard Logon template, except that it can also be used to sign and encrypt e-mail.
Trust List Signing | Allows the holder to digitally sign a trust list.
User | Used by users for e-mail, EFS, and client authentication.
User Signature Only | Allows users to digitally sign data.

Table 7.2 describes the computer certificate templates included with Windows Server 2003.

Table 7.2 Default Computer Certificate Templates

Name | Description | Version
CA Exchange | Used to store keys that are configured for private key archival. | 2
CEP Encryption | Allows the holder to act as a registration authority (RA) for Simple Certificate Enrollment Protocol (SCEP) requests. | 1
Computer | Provides both client and server authentication abilities to a computer account. The default permissions for this template allow enrollment only by computers running Windows 2000 and Windows Server 2003 family operating systems that are not domain controllers. | 1
Domain Controller Authentication | Used to authenticate Active Directory computers and users. | 2
IPSEC | Provides certificate-based authentication for computers by using IP Security (IPSec) for network communications. | 1
IPSEC (Offline request) | Used by IPSec to digitally sign, encrypt, and decrypt network communication when the subject name is supplied in the request. | 1
RAS and IAS Server | Enables Remote Access Services (RAS) and Internet Authentication Services (IAS) servers to authenticate their identities to other computers. | 2
Router (Offline request) | Used by a router when requested through SCEP from a certification authority that holds a Certificate Enrollment Protocol (CEP) Encryption certificate. | 1
Web Server | Authenticates the Web server to connecting clients. The connecting clients use the public key to encrypt the data that is sent to the Web server when using Secure Sockets Layer (SSL) encryption. | 1
Workstation Authentication | Enables client computers to authenticate their identities to servers. | 2

Finally, there are a handful of service templates that cannot be neatly classified as user or computer certificate templates:

■ Cross-Certification Authority. Used for cross-certification and qualified subordination.

■ Directory E-mail Replication. Used to replicate e-mail within Active Directory.

■ Domain Controller. Provides both client and server authentication abilities to a computer account. Default permissions allow enrollment by only domain controllers.

■ Key Recovery Agent. Recovers private keys that are archived on the certification authority.

■ Root Certification Authority and Subordinate Certification Authority. Used to prove the identity of the certification authorities.

Off the Record

A certificate template is nothing more than a collection of properties, requirements, and functions. When planning certificate templates, you are not bound to the templates that are included in Windows Server 2003. You can create your own templates to meet the needs of your organization. For example, you could create a template that is used for EFS and e-mail, that is only valid for one year, that archives the keys, and that does not support autoenrollment.
